Researchers: 'Blue Pill' Rootkit Detectable

A group of researchers has coded a detector they say can ferret out a supposedly "100 percent undetectable" hypervisor rootkit.


Joanna Rutkowska, the security researcher who one year ago built a working prototype, code-named Blue Pill, of a rootkit capable of creating malware that remains "100 percent undetectable," has tacitly conceded to a group of security researchers that the detector code they cooked up in the past month will in fact ferret out Blue Pill, at this point in its development, at any rate.

Tom Ptacek, security researcher and founder of New York-based Matasano Security, posted a note on June 27 saying that he, along with his fellow security researchers who had worked on hypervisor rootkit detection, were inviting Rutkowska to a challenge at Black Hat Briefings in Las Vegas sometime on Aug. 1 or 2.

"Joanna, we respectfully request terms under which you'd agree to an 'undetectable rootkit detection challenge.' We'll concede almost anything reasonable; we want the same access to the (possibly-)infected machine that any anti-virus software would get," Ptacek wrote.

Rutkowska posted a message saying she was ready for the challenge. But she stipulated that the challenging researchers (Ptacek, Nate Lawson of Root Labs, Symantec researcher Peter Ferrie and Matasano's Dino Dai Zovi) fund two people, full-time for six months at $200 per hour, to develop the rootkit to a state of readiness.

"She says she'll have completed it enough to compete in conference by then," Lawson said to eWEEK in an interview. "For $416,000 she wants us to pay her to write a rootkit which we're confident we'll be able to detect. We spent one one-person month coding the detector, and it will take her 16 times longer than it took us to write the detector, and we still believe we'll win."

"Nobody said that writing rootkits is an easy process," Rutkowska retorted in an e-mail exchange with eWEEK. "It is not, it requires time to make a rootkit something more than a prototype."
